Brussels seeks common approach to 5G security threats

(BRUSSELS) - The EU Commission recommended a common EU approach to 5G security Tuesday, setting out measures to ensure 5G infrastructures are resilient and secure from technical or legal 'backdoors'.

Fifth generation (5G) networks are set to form the future backbone of our societies and economies, connecting billions of objects and systems, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.

Democratic processes, such as elections, increasingly rely on digital infrastructures and 5G networks, highlighting the need to address any vulnerabilities and making the Commission's recommendations all the more pertinent ahead of the European Parliament elections in May.

The EU executive is recommending a set of actions to assess cybersecurity risks of 5G networks and to strengthen preventive measures. These combine legislative and policy instruments meant to protect economies, societies and democratic systems. With worldwide 5G revenues estimated at EUR 225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.

"The resilience of our digital infrastructure is critical to government, business, the security of our personal data and the functioning of our democratic institutions," said Commissioner Julian King. Commissioner Mariya Gabriel added: "Protecting 5G networks aims at protecting the infrastructure that will support vital societal and economic functions – such as energy, transport, banking, and health, as well as the much more automated factories of the future. It also means protecting our democratic processes, such as elections, against interference and the spread of disinformation."

The Commission says any vulnerability in 5G networks or a cyber-attack targeting the future networks in one Member State would affect the Union as a whole. For this reason, it says concerted measures taken both at national and European levels need to ensure a high level of cybersecurity.

The Commission's Recommendation sets out a series of operational measures:

1. At national level

Each Member State should complete a national risk assessment of 5G network infrastructures by the end of June 2019. On this basis, Member States should update existing security requirements for network providers and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands. These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks. The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.

EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country's standards and legal framework.

2. At EU level

Member States should exchange information with each other and, with the support of the Commission and the European Agency for Cybersecurity (ENISA), will complete a coordinated risk assessment by 1 October 2019. On that basis, Member States will agree on a set of mitigating measures that can be used at national level. These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure. This work will be done by the Cooperation Group of competent authorities, as set out under the Directive on Security of Network and Information Systems, with the help of the Commission and ENISA. This coordinated work should support Member States' actions at national level and provide guidance to the Commission for possible further steps at EU level. In addition, Member States should develop specific security requirements that could apply in the context of public procurement related to 5G networks, including mandatory requirements to implement cybersecurity certification schemes.

The Recommendation will make use of the wide range of instruments already in place or agreed to reinforce cooperation against cyber-attacks and enable the EU to act collectively in protecting its economy and society, including the first EU-wide legislation on cybersecurity (Directive on Security of Network and Information Systems), the Cybersecurity Act recently approved by the European Parliament, and the new telecoms rules. The Recommendation will help Member States to implement these new instruments in a coherent manner when it comes to 5G security.

In the field of cybersecurity, the future European cybersecurity certification framework for digital products, processes and services foreseen in the Cybersecurity Act should provide an essential supporting tool to promote consistent levels of security. When implementing it, Member States should also immediately and actively engage with all other involved stakeholders in the development of dedicated EU-wide certification schemes related to 5G. Once they become available, Member States should make certification in this area mandatory through national technical regulations.

In the field of telecoms, Member States have to ensure that the integrity and security of public communications networks are maintained, with obligations to ensure that operators take technical and organisational measures to appropriately manage the risks posed to security of networks and services.